Cyber Resilience

CVE-2025-7401

Critical

Published: 11 July 2025

Published
11 July 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0188 83.6th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-7401 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Codecanyon (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 16.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and CM-11 (User-installed Software).

Deeper analysis

The Premium Age Verification / Restriction for WordPress plugin for WordPress contains an arbitrary file read and write vulnerability stemming from insufficiently protected remote support functionality in remote_tunnel.php. The flaw affects all versions through 3.0.2 and is tracked as CVE-2025-7401 with a CVSS 3.1 score of 9.8 and CWE-798.

Unauthenticated attackers can exploit the issue remotely without any user interaction to read from or write to arbitrary files on the hosting server, enabling exposure of sensitive data or remote code execution. The EPSS score remains flat at a low 0.0188 with no material increase after disclosure. Public references point to the vendor listing on CodeCanyon and a detailed entry from Wordfence for further technical context.

EU & UK References

Vulnerability details

The Premium Age Verification / Restriction for WordPress plugin for WordPress is vulnerable to arbitrary file read and write due to the existence of an insufficiently protected remote support functionality in remote_tunnel.php in all versions up to, and including, 3.0.2.…

more

This makes it possible for unauthenticated attackers to read from or write to arbitrary files on the affected site's server which may make the exposure of sensitive information or remote code execution possible.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Vulnerability in public-facing WordPress plugin enables remote unauthenticated arbitrary file read/write (via hard-coded credentials), directly facilitating initial access via T1190 and web shell deployment (T1505.003) for RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2016-20026Shared CWE-798
CVE-2025-42890Shared CWE-798
CVE-2020-36911Shared CWE-798
CVE-2026-35503Shared CWE-798
CVE-2017-20234Shared CWE-798
CVE-2026-32834Shared CWE-798
CVE-2026-27073Shared CWE-798
CVE-2026-30701Shared CWE-798
CVE-2025-10850Shared CWE-798
CVE-2024-50688Shared CWE-798

Affected Assets

Codecanyon
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely patching of the vulnerable plugin versions up to 3.0.2 to eliminate the arbitrary file read/write vulnerability in remote_tunnel.php.

prevent

Prohibits unauthorized installation of third-party WordPress plugins like Premium Age Verification, preventing deployment of components with unprotected remote support functionality.

prevent

Explicitly defines and restricts permitted actions without authentication, preventing unauthenticated arbitrary file read/write via the remote_tunnel.php endpoint.

References